From: seolheui, kim Date: Fri, 3 Aug 2018 08:51:52 +0000 (+0900) Subject: [Draft] Add audit analyzer tool for demonstration X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=refs%2Fheads%2Fdrafts%2Fdemo;p=platform%2Fcore%2Fsecurity%2Faudit-trail.git [Draft] Add audit analyzer tool for demonstration Change-Id: I717cb6b33d040a242a47a1a3e17ad0e8dfb2fc55 Signed-off-by: seolheui, kim --- diff --git a/packaging/audit-trail.spec b/packaging/audit-trail.spec index 5437848..662b390 100755 --- a/packaging/audit-trail.spec +++ b/packaging/audit-trail.spec @@ -146,3 +146,18 @@ The audit-trail-tests package contains the testcases needed to test audit functi %attr(700,root,root) %{_sbindir}/audit-trail-rules-test %attr(700,root,root) %{_sbindir}/audit-trail-overhead-test %{audit_base_dir}/test_module.ko + +%package -n audit-trail-sample +Summary: Sample tools for audit trail demonstration +Group: Security/Testing +BuildRequires: pkgconfig(capi-appfw-app-manager) +BuildRequires: pkgconfig(libtzplatform-config) +Requires: %{name} = %{version}-%{release} + +%description -n audit-trail-sample +The audit-trail-sample package contains test tools for demonstration + +%files -n audit-trail-sample +%manifest audit-trail.manifest +%defattr(644,root,root,755) +%attr(700,root,root) %{_sbindir}/audit-analyzer diff --git a/tools/CMakeLists.txt b/tools/CMakeLists.txt index 416c4b2..46ba35b 100755 --- a/tools/CMakeLists.txt +++ b/tools/CMakeLists.txt @@ -15,6 +15,8 @@ # SET(AUDIT_TRAIL_CLI ${AUDIT_TRAIL_TOOLS}/cli) SET(AUDIT_TRAIL_TEST ${AUDIT_TRAIL_TOOLS}/tests) +SET(AUDIT_TRAIL_SAMPLE ${AUDIT_TRAIL_TOOLS}/sample) ADD_SUBDIRECTORY(${AUDIT_TRAIL_CLI}) ADD_SUBDIRECTORY(${AUDIT_TRAIL_TEST}) +ADD_SUBDIRECTORY(${AUDIT_TRAIL_SAMPLE}) diff --git a/tools/sample/CMakeLists.txt b/tools/sample/CMakeLists.txt new file mode 100755 index 0000000..4458ca1 --- /dev/null +++ b/tools/sample/CMakeLists.txt 
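Review bot: The new `audit-trail-sample` subpackage installs a `[Draft]` demonstration binary as a root-only tool under `%{_sbindir}` with no build conditional, so it is built and packaged on every build of audit-trail. Its detection lists and its notification path (stdout only, per the `sendNotification` TODO later in this commit) are placeholders, so shipping it in product images is presumably unintended; gating the `%package`, `%description` and `%files` sections behind a bcond (for example `%bcond_with sample` near the top of the spec and `%if %{with sample}` around the new sections) keeps it out of default builds. The spec's earlier conditionals are outside this hunk, so whether the tests subpackage already uses such a guard cannot be confirmed from here.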
@@ -0,0 +1,18 @@
+#
+# Copyright (c) 2018 Samsung Electronics Co., Ltd All Rights Reserved
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+SET(AUDIT_TRAIL_ANALYZER ${AUDIT_TRAIL_SAMPLE}/analysis)
+
+ADD_SUBDIRECTORY(${AUDIT_TRAIL_ANALYZER})
diff --git a/tools/sample/analysis/CMakeLists.txt b/tools/sample/analysis/CMakeLists.txt
new file mode 100644
index 0000000..207b32c
--- /dev/null
+++ b/tools/sample/analysis/CMakeLists.txt
@@ -0,0 +1,50 @@ +# +# Copyright (c) 2018 Samsung Electronics Co., Ltd All Rights Reserved +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +SET(TOOL_NAME audit-analyzer) +SET(TOOL_SRCS + main.cpp + analyzer.cpp) +SET(TOOL_CHECKER + checker/checker.cpp + checker/unix-socket.cpp + checker/inet-socket.cpp + checker/bruteforce.cpp + checker/modify-dac.cpp + checker/modify-mac.cpp + checker/modify-mac-policy.cpp + checker/use-kernel.cpp + checker/mount-device.cpp + checker/debugging.cpp + checker/privilege.cpp + checker/modify-host.cpp + checker/modify-arp.cpp) +SET(DEPENDENCY + klay + capi-appfw-app-manager + libtzplatform-config + glib-2.0) + +ADD_EXECUTABLE(${TOOL_NAME} ${TOOL_SRCS} ${TOOL_CHECKER}) +PKG_CHECK_MODULES(TOOL_DEPS REQUIRED ${DEPENDENCY}) + +SET_TARGET_PROPERTIES(${TOOL_NAME} PROPERTIES COMPILE_FLAGS "-fPIE") +SET_TARGET_PROPERTIES(${TOOL_NAME} PROPERTIES LINK_FLAGS "-pie") + +INCLUDE_DIRECTORIES(SYSTEM ${TOOL_DEPS_INCLUDE_DIRS} ${AUDIT_TRAIL_LIB}) +TARGET_LINK_LIBRARIES(${TOOL_NAME} ${TOOL_DEPS_LIBRARIES} ${PROJECT_NAME} audit-trail) + +INSTALL(TARGETS ${TOOL_NAME} DESTINATION sbin) diff --git a/tools/sample/analysis/analyzer.cpp b/tools/sample/analysis/analyzer.cpp new file mode 100644 index 0000000..a4266c1 --- /dev/null +++ b/tools/sample/analysis/analyzer.cpp 
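Review bot: The target is built with `-fPIE`/`-pie` but no other hardening is set here, and this binary runs as root and consumes records derived from other processes' syscalls, which is the kind of input that warrants the full set. Unless the top-level CMakeLists.txt (not in this diff) already adds them globally, `SET_TARGET_PROPERTIES(${TOOL_NAME} PROPERTIES LINK_FLAGS "-pie -Wl,-z,relro,-z,now")` plus `-fstack-protector-strong -D_FORTIFY_SOURCE=2` in `COMPILE_FLAGS` would complete what the PIE setting starts. Also, `TARGET_LINK_LIBRARIES` lists both `${PROJECT_NAME}` and `audit-trail`; if those resolve to the same library one of them is redundant and can be dropped.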
@@ -0,0 +1,177 @@ +/* + * Copyright (c) 2018 Samsung Electronics Co., Ltd All Rights Reserved + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License + */ +#include //[TODO]: removed +#include //[TODO]: removed +#include +#include +#include "analyzer.h" +#include "checker/checker.h" + +//TODO : removed +namespace { +std::vector detectedTag = { + "HijackUnixSocket", + "BruteforceDMCrypt", + "ModifyDAC", + "ModifyMAC", + "ModifyMACPolicy", + "MountDevice", + "ModifyLibraries", + "UseKernelModule", + "AccessPhishingSite", + "Debugging", + "PrivilegeEscalation", + "ModifyHostFile", + "ModifyARPTable", +}; +} + +AuditAnalyzer::AuditAnalyzer() + : auditTrail(nullptr), callbackId(0) +{ +} + +AuditAnalyzer::~AuditAnalyzer() +{ + terminate(); +} + +void AuditAnalyzer::run() +{ + //start analyzer + runMonitor(); + mainloop.run(); +} + +void AuditAnalyzer::terminate() +{ + //terminate analyzer + ::audit_trail_remove_system_log_cb(auditTrail, callbackId); + ::audit_trail_destroy(auditTrail); + mainloop.stop(); +} + +void AuditAnalyzer::runMonitor() +{ + //add callback to get system logs + audit_trail_create(&auditTrail); + if (auditTrail == nullptr) + throw runtime::Exception("Failed to create audit context"); + + std::cout << "Add callback to get system logs" << std::endl; + if (::audit_trail_add_system_log_cb(auditTrail, auditCallbackDispatcher, + reinterpret_cast(this), &callbackId) != 0) + throw runtime::Exception("Failed to add callback to audit-trail"); +} + +void 
AuditAnalyzer::auditCallbackDispatcher(void *log, void *data) +{ + AuditAnalyzer *analyzer = nullptr; + analyzer = reinterpret_cast(data); + analyzer->analysis(reinterpret_cast(log)); +} + +void AuditAnalyzer::analysis(SystemLog log) +{ + int type = Attack::Invalid; + Log parsedLog = {}; + parseLog(log, parsedLog); + + for (auto checker : CheckerFactory::list) { + type = checker->run(parsedLog); + if (type != Attack::Invalid) + break; + } + + if (type != Attack::Invalid) { + char *processName = nullptr; + int ret = ::app_manager_get_app_id(parsedLog.pid, &processName); + std::unique_ptr scopedPtr(processName); + + if (ret == APP_MANAGER_ERROR_NONE && ret != APP_MANAGER_ERROR_NO_SUCH_APP) { + std::cout << "PID :" << parsedLog.pid << " App id : " << std::string(processName) << std::endl; + parsedLog.subjectName.clear(); + parsedLog.subjectName.append(processName); + } + + sendNotification(type, parsedLog.subjectName); + } +} + +void AuditAnalyzer::parseLog(SystemLog log, Log &ret) +{ + std::unique_ptr scopedPtr; + char *sbjName = nullptr; + char *objName = nullptr; + + //get subject info + ::audit_system_log_get_subject_name(log, &sbjName); + scopedPtr.reset(sbjName); + ret.subjectName.append(sbjName); + + auto pos = ret.subjectName.rfind('/'); + pos = (pos == std::string::npos) ? 
0 : pos + 1; + ret.subjectName = ret.subjectName.substr(pos, ret.subjectName.size()); + + ::audit_system_log_get_subject_pid(log, &ret.pid); + + //get syscall info + if (::audit_system_log_get_action_systemcall(log, &ret.syscall) != 0) + throw runtime::Exception("Failed to get syscall number"); + + if (::audit_system_log_get_action_arguments(log, &ret.args) != 0) + throw runtime::Exception("Failed to get syscall arguments"); + + if (::audit_system_log_get_action_exitcode(log, &ret.exitcode) != 0) + throw runtime::Exception("Failed to get syscall exit code"); + + //get object info + if (::audit_system_log_get_object_name(log, &objName) != 0) + throw runtime::Exception("Failed to get object name"); + scopedPtr.reset(objName); + ret.objectName.append(objName); + + pos = ret.objectName.rfind('/'); + if (pos == ret.objectName.size()-1) + ret.objectName = ret.objectName.substr(0, pos); + + //[TODO] get dev number + ::audit_system_log_get_object_dev(log, &ret.dev); + + //get socket type and address + if (::audit_system_log_get_object_sockaddr(log, NULL, &ret.sockFamily) != 0) + throw runtime::Exception("Failed to get socket address"); + + if (ret.sockFamily != -1) { + if (ret.sockFamily == AF_UNIX) { + if (::audit_system_log_get_object_sockaddr(log, + reinterpret_cast(&ret.unixAddr), &ret.sockFamily) != 0) + throw runtime::Exception("Failed to get socket address"); + } else if (ret.sockFamily == AF_INET) { + if (::audit_system_log_get_object_sockaddr(log, + reinterpret_cast(&ret.inetAddr), &ret.sockFamily) != 0) + throw runtime::Exception("Failed to get socket address"); + } + } +} + +void AuditAnalyzer::sendNotification(int result, const std::string &name) +{ + //call notification app + //test code : [TODO]to be removed + std::cout << "[Detected] : " << detectedTag[result] << std::endl; + std::cout << "[Suspicious Process] : " << name << std::endl; +} 
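Review bot: `parseLog` throws `runtime::Exception` on any missing field, and `auditCallbackDispatcher` lets that exception propagate through the C callback boundary of libaudit-trail, so a single record the library cannot fully decode (no syscall number, no object name, no sockaddr) ends the whole monitor instead of being skipped — an attacker only has to produce one such record to switch detection off. The dispatcher should catch and log per record, and `terminate()` should be safe to call twice, because the destructor calls it unconditionally: if `run()` is ever ended by calling `terminate()`, or if `audit_trail_create` failed and `auditTrail` is still null, the destructor passes a destroyed or null handle to `audit_trail_remove_system_log_cb`. Two smaller points in `parseLog`: the return value of `audit_system_log_get_subject_name` is not checked, so a null `sbjName` reaches `std::string::append`, and `static_cast` is the right cast for `void *` to `AuditAnalyzer *`.
```cpp
void AuditAnalyzer::terminate()
{
	// idempotent: the destructor calls this too
	if (auditTrail != nullptr) {
		::audit_trail_remove_system_log_cb(auditTrail, callbackId);
		::audit_trail_destroy(auditTrail);
		auditTrail = nullptr;
	}
	mainloop.stop();
}

// … unchanged: runMonitor …

void AuditAnalyzer::auditCallbackDispatcher(void *log, void *data)
{
	auto *analyzer = static_cast<AuditAnalyzer *>(data);
	try {
		analyzer->analysis(reinterpret_cast<SystemLog>(log));
	} catch (const runtime::Exception &e) {
		// one undecodable record must not stop the monitor
		std::cout << "Skipping record: " << e.what() << std::endl;
	}
}
```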
diff --git a/tools/sample/analysis/analyzer.h b/tools/sample/analysis/analyzer.h new file mode 100644 index 0000000..a6cf977 --- /dev/null +++ b/tools/sample/analysis/analyzer.h @@ -0,0 +1,57 @@ +/* + * Copyright (c) 2018 Samsung Electronics Co., Ltd All Rights Reserved + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License + */ + +#ifndef __AUDIT_ANALYZER_H__ +#define __AUDIT_ANALYZER_H__ + +#include +#include + +#include + +#include +#include +#include + +#include "type.h" +#include "checker/checker.h" + +class AuditAnalyzer final { +public: + using AuditTrail = audit_trail_h; + using SystemLog = audit_system_log_h; + + AuditAnalyzer(); + ~AuditAnalyzer(); + + void run(); + void terminate(); + +private: + void runMonitor(); + void analysis(SystemLog log); + + void parseLog(SystemLog log, Log &ret); + void sendNotification(int result, const std::string &name); + static void auditCallbackDispatcher(void *log, void *data); + +private: + runtime::Mainloop mainloop; + AuditTrail auditTrail; + int callbackId; +}; + +#endif /*__AUDIT_ANALYZER_H__*/ diff --git a/tools/sample/analysis/checker/bruteforce.cpp b/tools/sample/analysis/checker/bruteforce.cpp new file mode 100644 index 0000000..bac0c94 --- /dev/null +++ b/tools/sample/analysis/checker/bruteforce.cpp 
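Review bot: `AuditAnalyzer` owns a raw `audit_trail_h` handle and a callback id but declares only a constructor and destructor, so the implicitly generated copy operations would leave two objects tearing down the same handle. Since the class is already `final` and the destructor is user-declared, deleting the copies makes the ownership explicit: `AuditAnalyzer(const AuditAnalyzer &) = delete;` and `AuditAnalyzer &operator=(const AuditAnalyzer &) = delete;`. A one-line class comment stating that `run()` blocks until `terminate()` stops the mainloop (which is what the `.cpp` in this commit does) would also help callers.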
@@ -0,0 +1,45 @@ +/* + * Copyright (c) 2018 Samsung Electronics Co., Ltd All Rights Reserved + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License + */ + +#include "checker.h" + +class BruteforceChecker : public AuditChecker { +public: + BruteforceChecker(); + virtual ~BruteforceChecker(); + + int run(const Log &log); +private: + std::vector blackList; +}; + +BruteforceChecker::BruteforceChecker() +{ + blackList = { + "/dev/mapper/control", + }; +} + +BruteforceChecker::~BruteforceChecker() +{ +} + +int BruteforceChecker::run(const Log &log) +{ + return findOnList(blackList, log.objectName) ? Attack::BruteforceDMCrypt : Attack::Invalid; +} + +CheckerBuilder bruteforceChecker; diff --git a/tools/sample/analysis/checker/checker.cpp b/tools/sample/analysis/checker/checker.cpp new file mode 100644 index 0000000..b3c9d00 --- /dev/null +++ b/tools/sample/analysis/checker/checker.cpp 
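Review bot: This checker reports `BruteforceDMCrypt` on any single record whose object is `/dev/mapper/control`, with no attempt counting and no look at `log.exitcode`, so one legitimate `cryptsetup`/`dmsetup` open is classified the same as a brute-force loop while the actual brute-force signal — many failed attempts from one pid in a short window — is never evaluated. At minimum combine the path match with the attempt pattern, for instance by keeping a per-pid counter of matching records and returning `Attack::BruteforceDMCrypt` only once it crosses a threshold within a time window. If the single-record match is intentional for the demo, a comment saying so would stop the name from over-promising.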
@@ -0,0 +1,27 @@
+/*
+ * Copyright (c) 2018 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License
+ */
+
+#include "checker.h"
+
+AuditChecker::AuditChecker()
+{
+}
+
+AuditChecker::~AuditChecker()
+{
+}
+
+std::vector CheckerFactory::list;
diff --git a/tools/sample/analysis/checker/checker.h b/tools/sample/analysis/checker/checker.h
new file mode 100644
index 0000000..ca58371
--- /dev/null
+++ b/tools/sample/analysis/checker/checker.h
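Review bot: `CheckerFactory::list` is a dynamically initialized global defined here, while the `CheckerBuilder` globals in the twelve checker translation units call `CheckerFactory::list.push_back()` from their own constructors; C++ gives no ordering between dynamic initializers in different translation units, so a builder can run before this vector is constructed and its registration is then wiped when the vector's constructor runs later (the static-initialization-order problem). The robust form is a function-local static behind an accessor, e.g. `std::vector<AuditChecker *> &CheckerFactory::list() { static std::vector<AuditChecker *> instance; return instance; }`, with `analyzer.cpp` and the builders calling `list()` instead of touching a data member. The same unspecified order also decides which checker `analysis()` consults first, so registration order must not be relied on for precedence.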
@@ -0,0 +1,71 @@ +/* + * Copyright (c) 2018 Samsung Electronics Co., Ltd All Rights Reserved + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License + */ + +#ifndef __AUDIT_CHECKER_H__ +#define __AUDIT_CHECKER_H__ + +#include +#include +#include +#include + +#include "../type.h" + +class AuditChecker { +public: + AuditChecker(); + ~AuditChecker(); + + virtual int run(const Log &log) = 0; +protected: + template + bool findOnList(const std::vector &list, T target) + { + for (auto e : list) { + if (e == target) + return true; + } + return false; + } +}; + +class CheckerFactory { +public: + static std::vector list; +}; + +template +class CheckerBuilder { +public: + CheckerBuilder(); + ~CheckerBuilder(); +private: + std::unique_ptr checker; +}; + +template +CheckerBuilder::CheckerBuilder() +{ + checker.reset(new Checker{}); + CheckerFactory::list.push_back(checker.get()); +} + +template +CheckerBuilder::~CheckerBuilder() +{ +} + +#endif /*__AUDIT_CHECKER_H__*/ diff --git a/tools/sample/analysis/checker/debugging.cpp b/tools/sample/analysis/checker/debugging.cpp new file mode 100644 index 0000000..7f4af4f --- /dev/null +++ b/tools/sample/analysis/checker/debugging.cpp 
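Review bot: `AuditChecker` is used polymorphically (`virtual int run()`), but its destructor is non-virtual, and the derived classes declaring `virtual ~XxxChecker()` do not make deletion through an `AuditChecker *` safe; declare `virtual ~AuditChecker();` in the base, and mark the derived `run` definitions `override` so a signature drift becomes a compile error rather than a silent new overload. `CheckerBuilder` registers `checker.get()` but `~CheckerBuilder()` never unregisters it, so during static destruction `CheckerFactory::list` holds dangling pointers while the glib thread started in `main.cpp` may still be delivering callbacks. Finally, `findOnList(const std::vector<T> &list, T target)` takes `target` by value and so copies a `std::string` on every call; `const T &target` is enough.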
@@ -0,0 +1,45 @@ +/* + * Copyright (c) 2018 Samsung Electronics Co., Ltd All Rights Reserved + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License + */ + +#include "checker.h" + +class DebuggingChecker : public AuditChecker { +public: + DebuggingChecker(); + virtual ~DebuggingChecker(); + + int run(const Log &log); +private: + std::vector blackList; +}; + +DebuggingChecker::DebuggingChecker() +{ + blackList = { + __NR_ptrace, + }; +} + +DebuggingChecker::~DebuggingChecker() +{ +} + +int DebuggingChecker::run(const Log &log) +{ + return findOnList(blackList, log.syscall) ? Attack::Debugging : Attack::Invalid; +} + +CheckerBuilder debuggingChecker; diff --git a/tools/sample/analysis/checker/inet-socket.cpp b/tools/sample/analysis/checker/inet-socket.cpp new file mode 100644 index 0000000..a262008 --- /dev/null +++ b/tools/sample/analysis/checker/inet-socket.cpp 
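Review bot: Any `ptrace` syscall is reported as `Debugging`, but the request in the first argument is what separates a process tracing itself or its own child (`PTRACE_TRACEME`, used by some crash handlers and sandboxes) from attaching to another process, which is presumably the case this checker exists for. Narrowing to `if (log.syscall == __NR_ptrace && (log.args[0] == PTRACE_ATTACH || log.args[0] == PTRACE_SEIZE))` (with `<sys/ptrace.h>`) would cut the noise considerably; whether `args[0]` holds the first syscall argument depends on how `audit_system_log_get_action_arguments` fills the array, which is not visible here. Checking `log.exitcode == 0` as well would separate attaches the kernel refused from ones that succeeded.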
@@ -0,0 +1,46 @@ +/* + * Copyright (c) 2018 Samsung Electronics Co., Ltd All Rights Reserved + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License + */ + +#include "checker.h" + +class InetSocketChecker : public AuditChecker { +public: + InetSocketChecker(); + virtual ~InetSocketChecker(); + + int run(const Log &log); +private: + std::vector blackList; +}; + +InetSocketChecker::InetSocketChecker() +{ + blackList = { + "121.189.57.82", + }; +} + +InetSocketChecker::~InetSocketChecker() +{ +} + +int InetSocketChecker::run(const Log &log) +{ + std::string address(::inet_ntoa(log.inetAddr.sin_addr)); + return findOnList(blackList, address) ? Attack::AccessPhishingSite : Attack::Invalid; +} + +CheckerBuilder inetSocketChecker; diff --git a/tools/sample/analysis/checker/modify-arp.cpp b/tools/sample/analysis/checker/modify-arp.cpp new file mode 100644 index 0000000..f4f850a --- /dev/null +++ b/tools/sample/analysis/checker/modify-arp.cpp 
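Review bot: `InetSocketChecker::run` calls `inet_ntoa` on `log.inetAddr` for every record without checking `log.sockFamily == AF_INET`, so for non-socket records it formats the zero-initialized address `0.0.0.0` and compares it against the list — harmless with the current entry, but the first unspecified-address entry added to the list would fire on every syscall. Guard with `if (log.sockFamily != AF_INET) return Attack::Invalid;` and compare the binary `sin_addr.s_addr` against values parsed once with `inet_pton` in the constructor rather than string-formatting each record, which also avoids `inet_ntoa`'s static buffer. The hard-coded public address `121.189.57.82` is a demo placeholder and should not stay in source; a deployable version reads its blocklist from a protected configuration file.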
@@ -0,0 +1,50 @@ +/* + * Copyright (c) 2018 Samsung Electronics Co., Ltd All Rights Reserved + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License + */ + +#include "checker.h" + +class ModifyARPChecker : public AuditChecker { +public: + ModifyARPChecker(); + virtual ~ModifyARPChecker(); + + int run(const Log &log); +private: + std::vector blackList; +}; + +ModifyARPChecker::ModifyARPChecker() +{ + blackList = { + __NR_ioctl, + __NR_socket, + }; +} + +ModifyARPChecker::~ModifyARPChecker() +{ +} + +int ModifyARPChecker::run(const Log &log) +{ + //TODO : check if a1 = 0x8955 + if (findOnList(blackList, log.syscall) && log.args[1] == 0x8955) + return Attack::ModifyARPTable; + + return Attack::Invalid; +} + +CheckerBuilder modifyARPChecke; diff --git a/tools/sample/analysis/checker/modify-dac.cpp b/tools/sample/analysis/checker/modify-dac.cpp new file mode 100644 index 0000000..2e1ae35 --- /dev/null +++ b/tools/sample/analysis/checker/modify-dac.cpp 
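Review bot: `0x8955` is `SIOCSARP` from `<linux/sockios.h>`; using the named constant, and adding `SIOCDARP` since deleting a neighbour entry is equally a table modification, makes the rule readable, and the `//TODO : check if a1 = 0x8955` comment is stale because the check is implemented on the next line. The `__NR_socket` entry in `blackList` is dead: for `socket(2)` the second argument is the socket type, which is never `0x8955`, so the condition only ever matches `ioctl`; `if (log.syscall == __NR_ioctl && (log.args[1] == SIOCSARP || log.args[1] == SIOCDARP))` says what is meant. The global is also misspelled `modifyARPChecke`.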
@@ -0,0 +1,55 @@ +/* + * Copyright (c) 2018 Samsung Electronics Co., Ltd All Rights Reserved + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License + */ + +#include "checker.h" + +class ModifyDacChecker : public AuditChecker { +public: + ModifyDacChecker(); + virtual ~ModifyDacChecker(); + + int run(const Log &log); +private: + std::vector blackList; +}; + +ModifyDacChecker::ModifyDacChecker() +{ + blackList = { + __NR_chown, + __NR_fchown, + __NR_fchownat, + __NR_lchown, + __NR_lchown32, + __NR_chmod, + __NR_fchmod, + __NR_fchmodat, + }; +} + +ModifyDacChecker::~ModifyDacChecker() +{ +} + +int ModifyDacChecker::run(const Log &log) +{ + if (log.syscall == __NR_chmod && !log.objectName.compare("/etc/ld.so.conf")) + return Attack::ModifyLibraries; + + return findOnList(blackList, log.syscall) ? Attack::ModifyDAC : Attack::Invalid; +} + +CheckerBuilder modifyDacChecker; diff --git a/tools/sample/analysis/checker/modify-host.cpp b/tools/sample/analysis/checker/modify-host.cpp new file mode 100644 index 0000000..786dcca --- /dev/null +++ b/tools/sample/analysis/checker/modify-host.cpp 
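Review bot: `__NR_chown`, `__NR_lchown`, `__NR_lchown32` and `__NR_chmod` are not defined on every Linux ABI (the 64-bit ARM table has only the `*at` forms and no `*32` variants), so this file will fail to compile on those targets unless each legacy number is wrapped in `#ifdef __NR_xxx` the way `mount-device.cpp` already guards `__NR_umount`. The `/etc/ld.so.conf` special case compares only the exact path and only for `__NR_chmod`, so `fchmodat`, `chown` and any file under `/etc/ld.so.conf.d/` are reported as plain `ModifyDAC`; matching the `.d` directory as a prefix and applying the test to every listed syscall would make `ModifyLibraries` meaningful. Note also that `run` reports every mode or owner change anywhere on the filesystem, which presumably needs a path scope before it is usable outside a demo.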
@@ -0,0 +1,45 @@ +/* + * Copyright (c) 2018 Samsung Electronics Co., Ltd All Rights Reserved + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License + */ + +#include "checker.h" + +class ModifyHostChecker : public AuditChecker { +public: + ModifyHostChecker(); + virtual ~ModifyHostChecker(); + + int run(const Log &log); +private: + std::vector blackList; +}; + +ModifyHostChecker::ModifyHostChecker() +{ + blackList = { + "/etc/hosts", + }; +} + +ModifyHostChecker::~ModifyHostChecker() +{ +} + +int ModifyHostChecker::run(const Log &log) +{ + return findOnList(blackList, log.objectName) ? Attack::ModifyHostFile : Attack::Invalid; +} + +CheckerBuilder modifyHostChecker; diff --git a/tools/sample/analysis/checker/modify-mac-policy.cpp b/tools/sample/analysis/checker/modify-mac-policy.cpp new file mode 100644 index 0000000..d6c6d1f --- /dev/null +++ b/tools/sample/analysis/checker/modify-mac-policy.cpp 
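Review bot: Matching `/etc/hosts` by object name alone, without looking at the syscall or the open flags, means every read of the file also fires, and the libc resolver reads `/etc/hosts` on practically every name lookup, so this rule will raise `ModifyHostFile` continuously on a device doing ordinary networking. Restrict it to write-capable operations: for `open`/`openat` require `(flags & (O_WRONLY | O_RDWR | O_TRUNC)) != 0` on the flags argument, and treat `rename`, `unlink`, `truncate` and `link` targets as modifications. Which `args` index holds the flags depends on how `audit_system_log_get_action_arguments` orders them, which is not visible in this diff.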
@@ -0,0 +1,48 @@ +/* + * Copyright (c) 2018 Samsung Electronics Co., Ltd All Rights Reserved + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License + */ + +#include "checker.h" + +class ModifyMacPolicyChecker : public AuditChecker { +public: + ModifyMacPolicyChecker(); + virtual ~ModifyMacPolicyChecker(); + + int run(const Log &log); +private: + std::vector blackList; +}; + +ModifyMacPolicyChecker::ModifyMacPolicyChecker() +{ + blackList = { + "/etc/smack", + "/sys/fs/smackfs", + "/etc/cynara", + "/etc/nether", + }; +} + +ModifyMacPolicyChecker::~ModifyMacPolicyChecker() +{ +} + +int ModifyMacPolicyChecker::run(const Log &log) +{ + return findOnList(blackList, log.objectName) ? Attack::ModifyMACPolicy : Attack::Invalid; +} + +CheckerBuilder modifyMacPolicyChecker; diff --git a/tools/sample/analysis/checker/modify-mac.cpp b/tools/sample/analysis/checker/modify-mac.cpp new file mode 100644 index 0000000..1c56d14 --- /dev/null +++ b/tools/sample/analysis/checker/modify-mac.cpp 
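Review bot: The entries are directories (`/etc/smack`, `/sys/fs/smackfs`, `/etc/cynara`, `/etc/nether`) but `findOnList` does an exact string compare against `log.objectName`, which for a file operation is the full path of the file (for example `/sys/fs/smackfs/load2` or a rule file under `/etc/smack/accesses.d/`), so the checker only fires on operations on the directory inode itself and misses the policy writes it exists to catch. A prefix match with a separator check is needed, e.g. `log.objectName.compare(0, e.size(), e) == 0 && (log.objectName.size() == e.size() || log.objectName[e.size()] == '/')` for each `e` in the list; `unix-socket.cpp` implements the same idea by walking up the path, so a shared helper on `AuditChecker` would serve both. `parseLog` strips only one trailing slash, which is why the separator check matters.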
@@ -0,0 +1,50 @@ +/* + * Copyright (c) 2018 Samsung Electronics Co., Ltd All Rights Reserved + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License + */ + +#include "checker.h" + +class ModifyMacChecker : public AuditChecker { +public: + ModifyMacChecker(); + virtual ~ModifyMacChecker(); + + int run(const Log &log); +private: + std::vector blackList; +}; + +ModifyMacChecker::ModifyMacChecker() +{ + blackList = { + __NR_setxattr, + __NR_lsetxattr, + __NR_fsetxattr, + __NR_removexattr, + __NR_lremovexattr, + __NR_fremovexattr, + }; +} + +ModifyMacChecker::~ModifyMacChecker() +{ +} + +int ModifyMacChecker::run(const Log &log) +{ + return findOnList(blackList, log.syscall) ? Attack::ModifyMAC : Attack::Invalid; +} + +CheckerBuilder modifyMacChecker; diff --git a/tools/sample/analysis/checker/mount-device.cpp b/tools/sample/analysis/checker/mount-device.cpp new file mode 100644 index 0000000..6951952 --- /dev/null +++ b/tools/sample/analysis/checker/mount-device.cpp 
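Review bot: Every `*setxattr`/`*removexattr` syscall is reported as `ModifyMAC`, but these calls also set unrelated attributes (`user.*`, `security.capability`, `trusted.*`), and presumably the package installer and labelling tools write `security.SMACK64*` legitimately on every install, so the rule cannot tell an attacker's relabel from routine system work. The attribute name is a pointer argument and is not recoverable from `log.args`, so the practical narrowing is on the subject (skip a small set of trusted labelling processes) and on `log.exitcode`, since a denied relabel attempt and a successful one are currently treated the same. A comment stating that the checker reports attempts rather than successful changes would at least make the current behaviour explicit.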
@@ -0,0 +1,49 @@ +/* + * Copyright (c) 2018 Samsung Electronics Co., Ltd All Rights Reserved + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License + */ + +#include "checker.h" + +class MountDeviceChecker : public AuditChecker { +public: + MountDeviceChecker(); + virtual ~MountDeviceChecker(); + + int run(const Log &log); +private: + std::vector blackList; +}; + +MountDeviceChecker::MountDeviceChecker() +{ + blackList = { + __NR_mount, + __NR_umount2, +#ifdef __NR_umount + __NR_umount, +#endif + }; +} + +MountDeviceChecker::~MountDeviceChecker() +{ +} + +int MountDeviceChecker::run(const Log &log) +{ + return findOnList(blackList, log.syscall) ? Attack::MountDevice : Attack::Invalid; +} + +CheckerBuilder mountDeviceChecker; diff --git a/tools/sample/analysis/checker/privilege.cpp b/tools/sample/analysis/checker/privilege.cpp new file mode 100644 index 0000000..3c2684f --- /dev/null +++ b/tools/sample/analysis/checker/privilege.cpp 
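Review bot: `analysis()` in `analyzer.cpp` stops at the first checker that returns a non-`Invalid` type, and the checkers are registered in the unspecified order of static initialization across translation units, so a broad syscall-number rule like this one (any `mount`/`umount2`) can shadow a more specific one — a `mount` whose target is `/sys/fs/smackfs` is reported either as `MountDevice` or as `ModifyMACPolicy` depending on link order. Either give checkers an explicit priority that `analysis()` sorts by, or let it collect every match instead of breaking on the first. Within this checker, `mount(2)` at boot and on media insertion is routine, so at least the flags (a `MS_REMOUNT` that turns a read-only system partition writable is the interesting case) or the target in `log.objectName` should feed the decision.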
@@ -0,0 +1,47 @@ +/* + * Copyright (c) 2018 Samsung Electronics Co., Ltd All Rights Reserved + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License + */ + +#include "checker.h" + +class PrivilegeChecker : public AuditChecker { +public: + PrivilegeChecker(); + virtual ~PrivilegeChecker(); + + int run(const Log &log); +private: + std::vector blackList; +}; + +PrivilegeChecker::PrivilegeChecker() +{ + blackList = { + __NR_setuid, + __NR_setuid32, + __NR_setreuid, + }; +} + +PrivilegeChecker::~PrivilegeChecker() +{ +} + +int PrivilegeChecker::run(const Log &log) +{ + return findOnList(blackList, log.syscall) ? Attack::PrivilegeEscalation : Attack::Invalid; +} + +CheckerBuilder privilegeChecker; diff --git a/tools/sample/analysis/checker/unix-socket.cpp b/tools/sample/analysis/checker/unix-socket.cpp new file mode 100644 index 0000000..a94a55e --- /dev/null +++ b/tools/sample/analysis/checker/unix-socket.cpp 
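Review bot: `PrivilegeEscalation` fires on any `setuid`/`setreuid`, which is the opposite direction most callers use them for: root daemons drop to an unprivileged uid with exactly these calls, so every service start is reported while a failed attempt to become root is indistinguishable from a successful one. Requiring the target uid to be root and the call to have succeeded, `if (findOnList(blackList, log.syscall) && log.args[0] == 0 && log.exitcode == 0)`, and adding `__NR_setresuid`/`__NR_setresuid32`, the `setgid` family and `__NR_capset` to the list would make the name accurate. `__NR_setuid32` does not exist on 64-bit ABIs, so it needs the same `#ifdef` guard `mount-device.cpp` uses for `__NR_umount`.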
@@ -0,0 +1,56 @@ +/* + * Copyright (c) 2018 Samsung Electronics Co., Ltd All Rights Reserved + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License + */ + +#include "checker.h" + +class UnixSocketChecker : public AuditChecker { +public: + UnixSocketChecker(); + virtual ~UnixSocketChecker(); + + int run(const Log &log); +private: + std::vector blackList; +}; + +UnixSocketChecker::UnixSocketChecker() +{ + blackList = { + "/tmp", + }; +} + +UnixSocketChecker::~UnixSocketChecker() +{ +} + +int UnixSocketChecker::run(const Log &log) +{ + if (log.exitcode >= 0) + return Attack::Invalid; + + std::string tmp(log.unixAddr.sun_path); + auto pos = tmp.find_last_of('/'); + while (pos != std::string::npos) { + tmp = tmp.substr(0, pos); + if (findOnList(blackList, tmp)) + return Attack::HijackUnixSocket; + pos = tmp.find_last_of('/'); + } + return Attack::Invalid; +} + +CheckerBuilder unixSocketChecker; diff --git a/tools/sample/analysis/checker/use-kernel.cpp b/tools/sample/analysis/checker/use-kernel.cpp new file mode 100644 index 0000000..cd7aa03 --- /dev/null +++ b/tools/sample/analysis/checker/use-kernel.cpp 
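Review bot: `std::string tmp(log.unixAddr.sun_path)` assumes a NUL terminator, but `sun_path` is not required to have one: a 108-byte path fills the array exactly and the constructor then reads past `unixAddr` into the following members of `Log`, and the bytes in `unixAddr` originate from the audited process's own `sockaddr`. Bound the read with `std::string tmp(log.unixAddr.sun_path, strnlen(log.unixAddr.sun_path, sizeof(log.unixAddr.sun_path)));` (needs `<cstring>`), which also lets abstract-namespace sockets (leading NUL) fall through as an empty path. Separately, the early `if (log.exitcode >= 0) return Attack::Invalid;` means only failed socket calls under `/tmp` are reported; if that is deliberate (catching `EADDRINUSE` from a second binder) a comment should say so, because a successful hijack is exactly the case that passes through unreported.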
@@ -0,0 +1,47 @@ +/* + * Copyright (c) 2018 Samsung Electronics Co., Ltd All Rights Reserved + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License + */ + +#include "checker.h" + +class UseKernelModuleChecker : public AuditChecker { +public: + UseKernelModuleChecker(); + virtual ~UseKernelModuleChecker(); + + int run(const Log &log); +private: + std::vector blackList; +}; + +UseKernelModuleChecker::UseKernelModuleChecker() +{ + blackList = { + __NR_init_module, + __NR_finit_module, + __NR_delete_module, + }; +} + +UseKernelModuleChecker::~UseKernelModuleChecker() +{ +} + +int UseKernelModuleChecker::run(const Log &log) +{ + return findOnList(blackList, log.syscall) ? Attack::UseKernelModule : Attack::Invalid; +} + +CheckerBuilder useKernelModuleChecker; diff --git a/tools/sample/analysis/main.cpp b/tools/sample/analysis/main.cpp new file mode 100644 index 0000000..6c70fdb --- /dev/null +++ b/tools/sample/analysis/main.cpp 
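Review bot: `__NR_finit_module` is a late addition to the syscall table and older kernel headers do not define it, so like `__NR_umount` in `mount-device.cpp` it is safer behind `#ifdef __NR_finit_module` to keep this file building against every toolchain the package targets. The rule also reports the module operation without identifying the module: for `init_module` the image comes from memory and for `finit_module` from a descriptor, so `log.objectName` is the only identity available and `sendNotification` currently receives only the subject name; passing the object through would make the alert actionable. Whether `log.objectName` is populated for these records depends on the audit rule set, which is outside this diff.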
@@ -0,0 +1,59 @@ +/* + * Copyright (c) 2018 Samsung Electronics Co., Ltd All Rights Reserved + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License + */ +#include +#include +#include +#include "analyzer.h" + +void signalHandler(int signal) +{ + exit(0); +} + +class AnalyzerGMainLoop { +public: + AnalyzerGMainLoop() : + mainloop(::g_main_loop_new(NULL, FALSE), ::g_main_loop_unref) + { + handle = std::thread(g_main_loop_run, mainloop.get()); + } + ~AnalyzerGMainLoop() + { + while (!g_main_loop_is_running(mainloop.get())) { + std::this_thread::yield(); + } + ::g_main_loop_quit(mainloop.get()); + handle.join(); + } +private: + std::unique_ptr mainloop; + std::thread handle; +}; + +int main(int argc, char *argv[]) +{ + ::signal(SIGINT, signalHandler); + + try { + AnalyzerGMainLoop gmainloop; + AuditAnalyzer analyzer; + analyzer.run(); + } catch (runtime::Exception &e) { + std::cout << "Error : " << e.what() << std::endl; + return EXIT_FAILURE; + } + return EXIT_SUCCESS; +} diff --git a/tools/sample/analysis/type.h b/tools/sample/analysis/type.h new file mode 100644 index 0000000..933cc8c --- /dev/null +++ b/tools/sample/analysis/type.h 
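Review bot: `signalHandler` calls `exit(0)` from signal context, which is not async-signal-safe and, worse, runs the static destructors (the `CheckerBuilder` globals and `CheckerFactory::list`) while the glib thread started by `AnalyzerGMainLoop` and the audit-trail callback may still be executing on other threads, so Ctrl-C can free checkers that are mid-`run()`. The handler should only set a `volatile sig_atomic_t` flag or, since a glib loop is already present, `g_unix_signal_add(SIGINT, …)` should call `terminate()` on the analyzer so `run()` returns and the stack unwinds normally. Two smaller points: `~AnalyzerGMainLoop` busy-waits on `g_main_loop_is_running`, which never becomes true if the loop already quit or never started, and `catch (runtime::Exception &e)` lets any other `std::exception` (for instance `std::bad_alloc`) escape to `std::terminate`; a second `catch (const std::exception &e)` handler closes that gap.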
@@ -0,0 +1,55 @@ +/* + * Copyright (c) 2018 Samsung Electronics Co., Ltd All Rights Reserved + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License + */ + +#ifndef __AUDIT_SUSPICIOUS_TYPE_H__ +#define __AUDIT_SUSPICIOUS_TYPE_H__ + +#include +#include +#include +#include + +enum Attack { + Invalid = -1, + HijackUnixSocket = 0, + BruteforceDMCrypt, + ModifyDAC, + ModifyMAC, + ModifyMACPolicy, + MountDevice, + ModifyLibraries, + UseKernelModule, + AccessPhishingSite, + Debugging, + PrivilegeEscalation, + ModifyHostFile, + ModifyARPTable, +}; + +struct Log { + unsigned int syscall; + dev_t dev; + std::string objectName; + std::string subjectName; + int sockFamily; + int exitcode; + pid_t pid; + unsigned int args[4]; + struct sockaddr_un unixAddr; + struct sockaddr_in inetAddr; +}; + +#endif /*__AUDIT_SUSPICIOUS_TYPE_H__*/
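Review bot: `Log::args` is declared `unsigned int args[4]` and its address is passed to `audit_system_log_get_action_arguments` in `analyzer.cpp`; syscall arguments are register-width (64-bit on LP64 targets), so if the library writes `unsigned long` values through that pointer the write runs 16 bytes past `args` into `unixAddr`. The library header is not in this diff, so this needs confirming against the declared parameter type; whichever it is, `args` should use exactly that element type so the compiler can check the call. Separately, the plain `enum Attack` is used as an index into `detectedTag` in `analyzer.cpp`, so the two lists must stay in the same order; a `static_assert` on the tag count, or keeping the names next to the enum here, would prevent a silent out-of-range read when a new type is added.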